IRS Can’t Update Woefully Out-of-Date Windows Servers Because It Can’t Find Some of Them

IRS headquarters in Washington, DC.

IRS headquarters in Washington, DC. Andrew Harnik/AP

The agency is only halfway through a planned upgrade of Windows servers.

The Internal Revenue Service couldn’t transition 1,300 of its workstations from Microsoft Windows XP to Windows 7 because the agency couldn’t find them all, according to a report released by the Treasury Inspector General for Tax Administration.

The report describes IRS’ uneven attempt to upgrade 110,000 workstations before Microsoft discontinued technical support for the XP operating system. The report also noted several thousand servers are still running Windows Server 2003.

On the XP upgrade alone, the IRS has spent $128 million since 2011 and has budgeted another $11 million through fiscal 2015. The IG contends outdated workstations – in this case, several years outdated – pose “significant security risks to the IRS network and data, particularly in the environment where a chain is only as strong as its weakest link.”

Earlier this year, IRS suffered a data breach that compromised 114,000 taxpayer accounts, and old workstations only increase the odds of further data breaches by hackers.

“Approximately 1,300 workstations have yet to be located or confirmed as running the old operating system,” the audit stated. “External hackers or malicious insiders need to locate only the one computer with security weaknesses, such as one with an outdated operating system, to exploit in order to steal data or further compromise other computers.”

The IG contends IRS should have maintained better oversight of the project and also criticized the efforts of IRS’ chief technology officer, who oversaw the Windows 7 upgrade. An executive steering committee similar to those chartered to govern other large-scale IT upgrades, would have been a better oversight option, the IG contended.

“Despite the eventual progress made by the IRS on the Windows XP upgrade efforts, we believe the IRS provided inadequate oversight and monitoring during the early phases of this effort, starting with including it among other Microsoft product upgrades rather than making this effort its own project up to the decision made by the CTO to oversee the project himself,” the report stated.

The IRS has been slow to upgrade its servers, too.

“The IRS is only halfway through completing its upgrade of its Windows servers to an operating system that is already 7 years old,” the audit stated.

In total, the IRS has approximately 3,000 Windows still running the 2003 operating system, while about 4,000 have been upgraded to the 2008 version. The IRS has been in the process of upgrading its existing servers to Windows Server 2012 – which has many additional security improvements, like two-factor authentication – but to date has not upgraded a single server with it.

“The IRS only recently, in March 2015, assigned a project manager over the migration to Windows Server 2012, and basic planning documents such as budget estimates and deployment schedules are still unsigned and incomplete,” the audit stated.